From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: "Jan Alexander Steffens (heftig)" <heftig@archlinux.org>
Date: Tue, 27 Oct 2020 18:59:14 +0000
Subject: [PATCH] pam-arch: Update to match pambase 20200721.1-2

Update the PAM files for Arch Linux. This has been applied downstream
since Aug 2020.

https://bugs.archlinux.org/task/67485
---
 data/meson.build                         |  1 -
 data/pam-arch/gdm-autologin.pam          | 22 +++++++++--------
 data/pam-arch/gdm-fingerprint.pam        | 31 +++++++++++++++---------
 data/pam-arch/gdm-launch-environment.pam | 24 ++++++++++--------
 data/pam-arch/gdm-password.pam           | 17 +++++++------
 data/pam-arch/gdm-pin.pam                | 13 ----------
 data/pam-arch/gdm-smartcard.pam          | 31 +++++++++++++++---------
 7 files changed, 75 insertions(+), 64 deletions(-)
 delete mode 100644 data/pam-arch/gdm-pin.pam

diff --git a/data/meson.build b/data/meson.build
index 23e2d7f9..7c5222ea 100644
--- a/data/meson.build
+++ b/data/meson.build
@@ -134,7 +134,6 @@ pam_data_files_map = {
     'gdm-fingerprint',
     'gdm-smartcard',
     'gdm-password',
-    'gdm-pin',
   ],
   'none': [],
   # We should no longer have 'autodetect' at this point
diff --git a/data/pam-arch/gdm-autologin.pam b/data/pam-arch/gdm-autologin.pam
index 99b14209..30bdf529 100644
--- a/data/pam-arch/gdm-autologin.pam
+++ b/data/pam-arch/gdm-autologin.pam
@@ -1,13 +1,15 @@
-auth     requisite pam_nologin.so
-auth     required  pam_env.so
-auth     optional  pam_gdm.so
-auth     optional  pam_gnome_keyring.so
-auth     optional  pam_permit.so
+#%PAM-1.0
 
-account  include   system-local-login
+auth       required                    pam_shells.so
+auth       requisite                   pam_nologin.so
+auth       optional                    pam_permit.so
+auth       required                    pam_env.so
+auth       [success=ok default=1]      pam_gdm.so
+auth       optional                    pam_gnome_keyring.so
 
-password include   system-local-login
+account    include                     system-local-login
 
-session  optional  pam_keyinit.so force revoke
-session  include   system-local-login
-session  optional  pam_gnome_keyring.so auto_start
+password   required                    pam_deny.so
+
+session    include                     system-local-login
+session    optional                    pam_gnome_keyring.so auto_start
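Review bot: The new auth stack never verifies a credential, but nothing in the file says so, and the `optional pam_permit.so` line reads as if it were the grant when its result is actually ignored — the stack succeeds because `pam_shells.so` and `pam_env.so` return success. I'd add a header comment above the first `auth` line: `# Autologin: no credential is verified. The only gates are pam_shells (valid login shell) and pam_nologin; the user is supplied by GDM's automatic-login configuration.` The `[success=ok default=1] pam_gdm.so` control skips `pam_gnome_keyring.so` whenever pam_gdm does not succeed, presumably so the keyring is only unlocked when pam_gdm supplied a token; a one-line comment saying that would protect the jump count from a later reordering. The `password` stack being `pam_deny.so` instead of an include of `system-local-login` means password changes are refused on this service, which is reasonable since autologin has no old credential to check against.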
diff --git a/data/pam-arch/gdm-fingerprint.pam b/data/pam-arch/gdm-fingerprint.pam
index a4808617..cc660d9a 100644
--- a/data/pam-arch/gdm-fingerprint.pam
+++ b/data/pam-arch/gdm-fingerprint.pam
@@ -1,14 +1,23 @@
-auth     required  pam_tally.so onerr=succeed file=/var/log/faillog
-auth     required  pam_shells.so
-auth     requisite pam_nologin.so
-auth     required  pam_env.so
-auth     required  pam_fprintd.so
-auth     optional  pam_permit.so
+#%PAM-1.0
 
-account  include   system-local-login
+auth       required                    pam_shells.so
+auth       requisite                   pam_nologin.so
+auth       required                    pam_faillock.so      preauth
+# Optionally use requisite above if you do not want to prompt for the fingerprint
+# on locked accounts.
+auth       [success=1 default=ignore]  pam_fprintd.so
+auth       [default=die]               pam_faillock.so      authfail
+auth       optional                    pam_permit.so
+auth       required                    pam_env.so
+auth       required                    pam_faillock.so      authsucc
+# If you drop the above call to pam_faillock.so the lock will be done also
+# on non-consecutive authentication failures.
+auth       [success=ok default=1]      pam_gdm.so
+auth       optional                    pam_gnome_keyring.so
 
-password required  pam_fprintd.so
-password optional  pam_permit.so
+account    include                     system-local-login
 
-session  optional  pam_keyinit.so force revoke
-session  include   system-local-login
+password   required                    pam_deny.so
+
+session    include                     system-local-login
+session    optional                    pam_gnome_keyring.so auto_start
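Review bot: Any failure of `pam_fprintd.so` — a non-matching finger, no enrolled prints, or the module not loading at all — falls through to `[default=die] pam_faillock.so authfail`, so each attempt both denies and increments the user's faillock tally; that is the right behaviour for a brute-force lockout, but on a host without fprintd this service can only ever add failures, which is presumably acceptable only because GDM selects gdm-fingerprint when fprintd is present (not visible here). The `required` on the `preauth` line deserves one more sentence than the existing comment gives: a locked account is still asked for a finger and denied only afterwards, so the lock state is not revealed by a missing prompt, at the cost of an extra fprintd round-trip. I'd extend the comment to `# preauth is 'required' (not 'requisite') so a locked-out user is still prompted and the lock is not revealed by a missing prompt; use requisite to deny immediately.` The `authsucc` line is reached only via the `success=1` jump over `authfail`, which is what resets the tally on success and why dropping it makes non-consecutive failures accumulate, as the comment says.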
diff --git a/data/pam-arch/gdm-launch-environment.pam b/data/pam-arch/gdm-launch-environment.pam
index d59c9cb9..20d1810a 100644
--- a/data/pam-arch/gdm-launch-environment.pam
+++ b/data/pam-arch/gdm-launch-environment.pam
@@ -1,13 +1,17 @@
-auth     required  pam_env.so
-auth     required  pam_succeed_if.so audit quiet_success user = gdm
-auth     optional  pam_permit.so
+#%PAM-1.0
 
-account  required  pam_succeed_if.so audit quiet_success user = gdm
-account  optional  pam_permit.so
+auth       required                    pam_succeed_if.so    audit quiet_success user in gdm:gnome-initial-setup
+auth       optional                    pam_permit.so
+auth       required                    pam_env.so
 
-password required  pam_deny.so
+account    required                    pam_succeed_if.so    audit quiet_success user in gdm:gnome-initial-setup
+account    optional                    pam_permit.so
 
-session  optional  pam_keyinit.so force revoke
-session  required  pam_succeed_if.so audit quiet_success user = gdm
-session  required  pam_systemd.so
-session  optional  pam_permit.so
+password   required                    pam_deny.so
+
+session    optional                    pam_loginuid.so
+session    optional                    pam_keyinit.so       force revoke
+session    required                    pam_succeed_if.so    audit quiet_success user in gdm:gnome-initial-setup
+session    optional                    pam_permit.so
+-session   optional                    pam_systemd.so
+session    required                    pam_env.so           user_readenv=1
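Review bot: `session required pam_env.so user_readenv=1` on the last line makes the greeter session read `~/.pam_environment` from the gdm / gnome-initial-setup home directories, which newer Linux-PAM releases deprecate and default to off; it also means anything able to write to the gdm user's home can inject environment into every subsequent greeter session, more trust in that directory than a greeter needs. Unless something in the greeter relies on it (nothing here suggests so), I'd drop the argument: `session    required                    pam_env.so`. Turning `pam_systemd.so` into `-session optional` is a good change since a missing module no longer logs an error; a short comment on why `pam_loginuid.so` is `optional` rather than `required` (presumably so the greeter still starts on kernels without audit) would help the next reader.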
diff --git a/data/pam-arch/gdm-password.pam b/data/pam-arch/gdm-password.pam
index 8d34794e..137242a6 100644
--- a/data/pam-arch/gdm-password.pam
+++ b/data/pam-arch/gdm-password.pam
@@ -1,11 +1,12 @@
-auth     include   system-local-login
-auth     optional  pam_gnome_keyring.so
+#%PAM-1.0
 
-account  include   system-local-login
+auth       include                     system-local-login
+auth       optional                    pam_gnome_keyring.so
 
-password include   system-local-login
-password optional  pam_gnome_keyring.so use_authtok
+account    include                     system-local-login
 
-session  optional  pam_keyinit.so force revoke
-session  include   system-local-login
-session  optional  pam_gnome_keyring.so auto_start
+password   include                     system-local-login
+password   optional                    pam_gnome_keyring.so use_authtok
+
+session    include                     system-local-login
+session    optional                    pam_gnome_keyring.so auto_start
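Review bot: The only substantive change besides the `#%PAM-1.0` header is that `session optional pam_keyinit.so force revoke` is gone, and the same line disappears from every other service in this patch; that is only safe if `system-local-login` (or what it includes) on Arch already runs pam_keyinit with `force revoke`, which I believe pambase's `system-login` does but cannot confirm from here. Without it a GDM session would keep the kernel session keyring it inherited rather than getting a fresh one. I'd leave a one-line comment stating the dependency, `# pam_keyinit (force revoke) comes from system-login via system-local-login`, or keep the line locally, since a second `pam_keyinit.so force revoke` call should be harmless.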
diff --git a/data/pam-arch/gdm-pin.pam b/data/pam-arch/gdm-pin.pam
deleted file mode 100644
index 135e205e..00000000
--- a/data/pam-arch/gdm-pin.pam
+++ /dev/null
@@ -1,13 +0,0 @@
-auth     requisite pam_pin.so
-auth     include   system-local-login
-auth     optional  pam_gnome_keyring.so
-
-account  include   system-local-login
-
-password include   system-local-login
-password optional  pam_pin.so
-password optional  pam_gnome_keyring.so use_authtok
-
-session  optional  pam_keyinit.so force revoke
-session  include   system-local-login
-session  optional  pam_gnome_keyring.so auto_start
diff --git a/data/pam-arch/gdm-smartcard.pam b/data/pam-arch/gdm-smartcard.pam
index ec6f75d5..e6ec1299 100644
--- a/data/pam-arch/gdm-smartcard.pam
+++ b/data/pam-arch/gdm-smartcard.pam
@@ -1,14 +1,23 @@
-auth     required  pam_tally.so onerr=succeed file=/var/log/faillog
-auth     required  pam_shells.so
-auth     requisite pam_nologin.so
-auth     required  pam_env.so
-auth     required  pam_pkcs11.so wait_for_card card_only
-auth     optional  pam_permit.so
+#%PAM-1.0
 
-account  include   system-local-login
+auth       required                    pam_shells.so
+auth       requisite                   pam_nologin.so
+auth       required                    pam_faillock.so      preauth
+# Optionally use requisite above if you do not want to prompt for the smartcard
+# on locked accounts.
+auth       [success=1 default=ignore]  pam_pkcs11.so        wait_for_card card_only
+auth       [default=die]               pam_faillock.so      authfail
+auth       optional                    pam_permit.so
+auth       required                    pam_env.so
+auth       required                    pam_faillock.so      authsucc
+# If you drop the above call to pam_faillock.so the lock will be done also
+# on non-consecutive authentication failures.
+auth       [success=ok default=1]      pam_gdm.so
+auth       optional                    pam_gnome_keyring.so
 
-password required  pam_pkcs11.so
-password optional  pam_permit.so
+account    include                     system-local-login
 
-session  optional  pam_keyinit.so force revoke
-session  include   system-local-login
+password   required                    pam_deny.so
+
+session    include                     system-local-login
+session    optional                    pam_gnome_keyring.so auto_start
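Review bot: Because `pam_faillock.so preauth` is `required` rather than `requisite`, a locked-out account is still taken through `pam_pkcs11.so wait_for_card card_only`, which blocks until a card is inserted and, as far as I understand pam_pkcs11, verifies the PIN against the card before the stack reaches `authfail`; so a locked account can still burn the card's own PIN retry counter even though the login will be denied regardless. For the smartcard stack specifically I'd take the option the comment already offers and write `auth       requisite                   pam_faillock.so      preauth`, denying before any card interaction. The `password` stack is now `pam_deny.so`, so PIN changes are no longer attempted through this service; if anything relied on the old `password required pam_pkcs11.so`, that is worth calling out, otherwise it is fine.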
